
Running a Software Security Program with Open Source Tools (Course)


Using the Software Assurance Maturity Model (OpenSAMM) as a framework, this course walks through the major components of a comprehensive software security program and highlights open source and other freely-available tools that can be used to help implement the activities involved in such a program. The focus of the course is on providing hands-on demonstrations of the tools with an emphasis on integrating tool results into the overall software security program. Featured tools include: ESAPI, Microsoft Web Protection Library, FindBugs, Brakeman, Agnitio, w3af, OWASP Zed Attack Proxy (ZAP), gauntlt, and ThreadFix as well as other educational resources from OWASP. Attendees should finish the course with a solid understanding of the various components of a comprehensive software security program as well as hands-on experience with a variety of freely-available tools that they can use to implement portions of these programs.



  1. © Copyright 2013 Denim Group - All Rights Reserved
     Running a Software Security Program on Open Source Tools
     Dan Cornell, CTO, Denim Group, @danielcornell
  2. My Background
     •  Dan Cornell, founder and CTO of Denim Group
     •  Software developer by background (Java, .NET, etc.)
     •  OWASP San Antonio
  3. Denim Group Background
     •  Secure software services and products company
        –  Builds secure software
        –  Helps organizations assess and mitigate risk of in-house developed and third-party software
        –  Provides classroom training and e-Learning so clients can build software securely
     •  Software-centric view of application security
        –  Application security experts are practicing developers
        –  Development pedigree translates to rapport with development managers
        –  Business impact: shorter time-to-fix for application vulnerabilities
     •  Culture of application security innovation and contribution
        –  Develops open source tools to help clients mature their software security programs (Remediation Resource Center, ThreadFix)
        –  OWASP national leaders and regular speakers at RSA, SANS, OWASP, ISSA, CSI
        –  World-class alliance partners accelerate innovation to solve client problems
  4. Course Abstract
     Using the Software Assurance Maturity Model (OpenSAMM) as a framework, this course walks through the major components of a comprehensive software security program and highlights open source and other freely-available tools that can be used to help implement the activities involved in such a program. The focus of the course is on providing hands-on demonstrations of the tools with an emphasis on integrating tool results into the overall software security program. Featured tools include: ESAPI, Microsoft Web Protection Library, FindBugs, FxCop, CAT.NET, Brakeman, Agnitio, Arachni, w3af, ZAProxy, ThreadFix as well as other educational resources from OWASP. Attendees should finish the course with a solid understanding of the various components of a comprehensive software security program as well as hands-on experience with a variety of freely-available tools that they can use to implement portions of these programs.
  5. Agenda
     •  So You Want To Roll Out a Software Security Program?
     •  Software Assurance Maturity Model (OpenSAMM)
     •  Components Of Your Software Security Program
        –  Governance
        –  Construction
        –  Verification
        –  Deployment
     •  Conclusions / Questions
  6. So You Want To Roll Out a Software Security Program?
     •  Great!
     •  What a software security program ISN'T
        –  Question: "What are you doing to address software security concerns?"
        –  Answer: "We bought scanner XYZ"
     •  What a software security program IS
        –  People, process, tools (naturally)
        –  A set of activities intended to repeatedly produce appropriately-secure software
  7. Challenges Rolling Out Software Security Programs
     •  Resources
        –  Raw budget and cost issues
        –  Level-of-effort issues
     •  Resistance: requires organizational change
        –  Apparently people hate this
     •  Open source tools
        –  Can help with raw budget issues
        –  May exacerbate problems with level of effort
     •  View the rollout as a multi-stage process
        –  Not one magical effort
        –  Use short-term successes and gains to fuel further change
  8. Let's Create the Class Virtual Machine
     •  Get VirtualBox if you do not already have it
        –  https://www.virtualbox.org/
     •  Get the Ubuntu image if you do not already have it
        –  http://www.ubuntu.com/
        –  ubuntu-13.10-desktop-i386.iso
     •  Run VirtualBox
     •  Click "New"
  9. Creating the VM
     •  Name: whatever; I called mine "OWASP_Course"
     •  Type: Linux
     •  Version: Ubuntu
     •  Memory Size: I used 4096 MB. More is better; if you use less you might have issues
     •  Hard Drive: create a virtual hard drive now
 10. Creating the VM
     •  Hard Drive File Type: whatever; I used "VDI (VirtualBox Disk Image)"
     •  Storage on Physical Hard Drive: whatever; I used "Dynamically allocated"
     •  File Location and Size: I used "OWASP_Course" and 16 GB. More is better (the default 8 GB is NOT enough)
 11. Install the OS
     •  Click "Start"
     •  Select the Ubuntu ISO image
     •  Select "Install Ubuntu"
     •  Click "Download updates while installing"
     •  Select "Erase disk and install Ubuntu" (this runs inside the guest, so only the new virtual disk is erased)
 12. Install the OS
     •  Set your location and keyboard type
     •  Enter user info
     •  Wait
     •  Reboot
     •  Congratulations!
     •  (Do yourself a favor and put a terminal icon on the launcher)
 13. Software Assurance Maturity Model (OpenSAMM)
     •  Open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization
     •  Useful for:
        –  Evaluating an organization's existing software security practices
        –  Building a balanced software security program in well-defined iterations
        –  Demonstrating concrete improvements to a security assurance program
        –  Defining and measuring security-related activities within an organization
     •  Main website: http://www.opensamm.org/
 14. Using OpenSAMM You Can...
     •  Evaluate an organization's existing software security practices
     •  Build a balanced software security assurance program in well-defined iterations
     •  Demonstrate concrete improvements to a security assurance program
     •  Define and measure security-related activities throughout an organization
     [This slide content © Pravir Chandra]
 15. Review of Existing Secure SDLC Efforts
     [This slide content © Pravir Chandra]
 16. CLASP
     •  Comprehensive, Lightweight Application Security Process
        –  Centered around 7 AppSec best practices
        –  Covers the entire software lifecycle (not just development)
     •  Adaptable to any development process
        –  Defines roles across the SDLC
        –  24 role-based process components
        –  Start small and dial in to your needs
     [This slide content © Pravir Chandra]
 17. Microsoft SDL
     •  Built internally for MS software
     •  Extended and made public for others
     •  MS-only versions since public release
     [This slide content © Pravir Chandra]
 18. Touchpoints
     •  Gary McGraw's and Cigital's model
     [This slide content © Pravir Chandra]
 19. Lessons Learned
     •  Microsoft SDL: heavyweight, good for large ISVs
     •  Touchpoints: high-level, not enough details to execute against
     •  CLASP: large collection of activities, but no priority ordering
     •  ALL: good for experts to use as a guide, but hard for non-security folks to use off the shelf
     [This slide content © Pravir Chandra]
 20. Drivers for a Maturity Model
     •  An organization's behavior changes slowly over time
        –  Changes must be iterative while working toward long-term goals
     •  There is no single recipe that works for all organizations
        –  A solution must enable risk-based choices tailored to the organization
     •  Guidance related to security activities must be prescriptive
        –  A solution must provide enough details for non-security people
     •  Overall, must be simple, well-defined, and measurable
     [This slide content © Pravir Chandra]
 21. Therefore, a Viable Model Must...
     •  Define building blocks for an assurance program
        –  Delineate all functions within an organization that could be improved over time
     •  Define how building blocks should be combined
        –  Make creating change in iterations a no-brainer
     •  Define details for each building block clearly
        –  Clarify the security-relevant parts in a widely applicable way (for any org doing software development)
     [This slide content © Pravir Chandra]
 22. Understanding the Model
     [This slide content © Pravir Chandra]
 23. SAMM Business Functions
     •  Start with the core activities tied to any organization performing software development
     •  Named generically, but should resonate with any developer or manager
     [This slide content © Pravir Chandra]
 24. SAMM Security Practices
     •  From each of the Business Functions, 3 Security Practices are defined
     •  The Security Practices cover all areas relevant to software security assurance
     •  Each one is a silo for improvement
     [This slide content © Pravir Chandra]
 25. Under Each Security Practice
     •  Three successive Objectives under each Practice define how it can be improved over time
        –  This establishes a notion of a Level at which an organization fulfills a given Practice
     •  The three Levels for a Practice generally correspond to:
        –  (0: Implicit starting point with the Practice unfulfilled)
        –  1: Initial understanding and ad hoc provision of the Practice
        –  2: Increased efficiency and/or effectiveness of the Practice
        –  3: Comprehensive mastery of the Practice at scale
     [This slide content © Pravir Chandra]
 26. Check Out This One...
     [This slide content © Pravir Chandra]
 27. Per Level, SAMM Defines...
     •  Objective
     •  Activities
     •  Results
     •  Success Metrics
     •  Costs
     •  Personnel
     •  Related Levels
     [This slide content © Pravir Chandra]
 28. Approach to Iterative Improvement
     •  Since the twelve Practices are each a maturity area, the successive Objectives represent the building blocks for any assurance program
     •  Simply put, improve an assurance program in phases by:
        1. Selecting the security Practices to improve in the next phase of the assurance program
        2. Achieving the next Objective in each Practice by performing the corresponding Activities at the specified Success Metrics
     [This slide content © Pravir Chandra]
 29. Applying the Model
     [This slide content © Pravir Chandra]
 30. Conducting Assessments
     •  SAMM includes assessment worksheets for each Security Practice
     [This slide content © Pravir Chandra]
 31. Assessment Process
     •  Supports both lightweight and detailed assessments
     •  Organizations may fall in between levels (+)
     [This slide content © Pravir Chandra]
 32. Creating Scorecards
     •  Gap analysis: capturing scores from detailed assessments versus expected performance levels
     •  Demonstrating improvement: capturing scores from before and after an iteration of assurance program build-out
     •  Ongoing measurement: capturing scores over consistent time frames for an assurance program that is already in place
     [This slide content © Pravir Chandra]
 33. Roadmap Templates
     •  To make the building blocks usable, SAMM defines Roadmap templates for typical kinds of organizations
        –  Independent Software Vendors
        –  Online Service Providers
        –  Financial Services Organizations
        –  Government Organizations
     •  Organization types chosen because
        –  They represent common use-cases
        –  Each organization type has variations in typical software-induced risk
        –  Optimal creation of an assurance program is different for each
     [This slide content © Pravir Chandra]
 34. Building Assurance Programs
     [This slide content © Pravir Chandra]
 35. Case Studies
     •  A full walkthrough with prose explanations of decision-making as an organization improves
     •  Each Phase described in detail
        –  Organizational constraints
        –  Build/buy choices
     •  One case study exists today, several more in progress using industry partners
     [This slide content © Pravir Chandra]
 36. Exploring the Model's Levels and Activities
     [This slide content © Pravir Chandra]
 37. The SAMM 1.0 release
     [This slide content © Pravir Chandra]
 38. SAMM and the Real World
     [This slide content © Pravir Chandra]
 39. SAMM History
     •  Beta released August 2008; 1.0 released March 2009
     •  Originally funded by Fortify, which is still actively involved and using this model
     •  Released under a Creative Commons Attribution Share-Alike license
     •  Donated to OWASP and is currently an OWASP project
     [This slide content © Pravir Chandra]
 40. Expert Contributions
     •  Built based on collected experiences with hundreds of organizations
        –  Including security experts, developers, architects, development managers, IT managers
     [This slide content © Pravir Chandra]
 41. Industry Support
     •  Several more case studies underway
     [This slide content © Pravir Chandra]
 42. The OpenSAMM Project
     •  http://www.opensamm.org
     •  Dedicated to defining, improving, and testing the SAMM framework
     •  Always vendor-neutral, but lots of industry participation
        –  Open and community driven
     •  Targeting new releases every 6-12 months
     •  Change management process: SAMM Enhancement Proposals (SEP)
     [This slide content © Pravir Chandra]
 43. OpenSAMM Resources
     •  Nick Coblentz - SAMM Assessment Interview Template (xls/googledoc)
     •  Christian Frichot - SAMM Assessment Spreadsheet (xls)
     •  Colin Watson - Roadmap Chart Template (xls)
     •  Jim Weiler - MS Project Plan Template (mpp)
     •  Denim Group - ThreadFix (web application)
     [This slide content © Pravir Chandra]
 44. Quick Recap on Using SAMM
     •  Evaluate an organization's existing software security practices
     •  Build a balanced software security assurance program in well-defined iterations
     •  Demonstrate concrete improvements to a security assurance program
     •  Define and measure security-related activities throughout an organization
     [This slide content © Pravir Chandra]
 45. Discussion: Tools
     •  Commercial tools in use?
     •  Free / open source tools in use?
     •  What tool implementations have been successful?
     •  What tool implementations have been less successful?
     •  Why?
     •  What is your interest in using open source tools for software security?
 46. Why Use Free / Open Source Tools?
     •  They're FREE!
        –  No per-user license fees
     •  Can be customized
        –  Don't like the way a feature works? Improve it!
     •  Community support
        –  Not a tremendous amount of public resources for commercial tools
 47. Potential Disadvantages of Free Tools
     •  Often less mature than commercial analogs
        –  Application and software security are new when compared to other disciplines
        –  Open source tools lag in a number of areas
     •  Task-focused rather than program-focused
        –  Geared toward testing a single application rather than a portfolio of applications
 48. Discussion: Organizational Concerns
     •  Does your organization allow the use of open source tools?
     •  What restrictions are placed on the use of free / open source tools?
        –  Only certain licenses allowed
        –  Each tool / library must have a sponsor
 49. Open Source Tool Usage - Best Practices
     •  Reach out to the project lead / development community
        –  How responsive are they?
        –  Good to have a relationship for escalating issues
     •  Consider commercial support
        –  If available
        –  When it makes sense
     •  Give back
        –  Installation instructions for your platform(s)
        –  Other documentation opportunities
        –  Code updates, if possible / desirable
 50. ThreadFix - Overview
     •  ThreadFix is a software vulnerability aggregation and management system that helps organizations aggregate vulnerability data, generate virtual patches, and interact with software defect tracking systems.
     •  Freely available under the Mozilla Public License (MPL)
     •  Hosted at Google Code: http://code.google.com/p/threadfix/
 51. ThreadFix - Installation
     •  2.0M1 available as a ZIP archive
        –  Includes ThreadFix, Apache Tomcat and an HSQL database
        –  Designed for easy installation
        –  Limited performance and capacity
     •  1.2 available as a pre-installed Linux VM
        –  Includes ThreadFix, Apache Tomcat and a MySQL database
        –  Can also be custom-installed
 52. ThreadFix - Installation
     •  Pre-requisite (for your Ubuntu VM): a Java 1.7 JRE, installed and checked via:
        –  sudo apt-get install openjdk-7-jre
        –  java -version
     •  Instructions (from ~/Desktop/WorkingDir):
        –  Unzip ThreadFix: unzip ~/Downloads/ThreadFix_2_0M1.zip
        –  Make threadfix.sh executable: cd ThreadFix ; chmod u+x threadfix.sh
        –  Set the JAVA_HOME environment variable: export JAVA_HOME=/usr/lib/jvm/java-7-openjdk-i386
        –  Run ThreadFix: ./threadfix.sh start
        –  Open ThreadFix in a browser: navigate to https://localhost:8443/threadfix (the bundled certificate is not trusted by the browser, so you will have to confirm the HTTPS exception)
 53. ThreadFix - Usage (The Basics)
     •  Create a Team
        –  Log in with the default credentials "user" and "password" (change them before the instance is reachable from anywhere but your VM)
        –  Click the "Get started" link
        –  Create a Team called "My Team"
     •  Create an Application
        –  Click "Add Application"
        –  Create an Application called "My Application"
        –  Use URL http://www.myapp.com/ and criticality "Low"
        –  Don't worry about "Defect Tracker" or "WAF" right now
     •  Upload a Scan for the Application
        –  Click "Upload Scan"
        –  Upload file WorkingDir/ThreadFix/test-scans/w3af-demo-site.xml
 54. OpenSAMM: Governance
     •  Strategy and Metrics
     •  Policy and Compliance
     •  Education and Guidance
 55. Governance: Strategy and Metrics
     •  Overall strategic direction of the assurance program
     •  How are processes instrumented?
     •  How are measurements taken?
 56. ThreadFix: Reporting
     •  Can be done at multiple levels:
        –  Enterprise-wide
        –  Team
        –  Individual application
     •  Reports for:
        –  Vulnerability count trending
        –  Progress: vulnerability resolution and timelines
        –  Scanner effectiveness
        –  Frequency of scanning across the portfolio
     •  Will revisit ThreadFix reporting later in the course for examples
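The step that makes the reports above possible is the aggregation: findings from several scanners (and from repeated scans of one application) have to be normalized and deduplicated before a trend or a scanner-effectiveness number means anything. The program below is an added illustration of that step, not ThreadFix code and not an importer for any real scanner format; the XML layout of "scanner A", the CSV columns of "scanner B" and the three finding sets are constructed for the example. It parses both exports into one finding type, merges them keyed on (type, path, parameter) so the same XSS reported by both scanners counts once, reports how many findings each scanner found alone, and diffs against a later scan to show which findings closed. It also goes one step beyond the slide by treating the export as untrusted input and refusing DTDs, which is what you want before feeding third-party scan files into any aggregator.

```java
import java.io.StringReader;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

/** Merges two scanner exports into one application-level finding list and answers
 *  two of the reporting questions above: findings unique to one scanner, and findings
 *  closed between two scans. Formats and data are constructed for the example. */
public class FindingAggregator {

    static final class Finding {
        final String type, path, param, severity, scanner;
        Finding(String type, String path, String param, String severity, String scanner) {
            this.type = type; this.path = path; this.param = param;
            this.severity = severity; this.scanner = scanner;
        }
        // Two reports describe the same vulnerability when type, location and parameter match.
        String key() { return type + " " + path + " " + (param.isEmpty() ? "-" : param); }
    }

    static final List<String> SEVERITY_ORDER = Arrays.asList("Info", "Low", "Medium", "High", "Critical");

    // Constructed sample exports. The element names and CSV columns are assumptions made for
    // this example; they are not the w3af, ZAP or ThreadFix formats.
    static final String SCANNER_A_XML = "<scan scanner=\"scannerA\">"
        + "<vuln type=\"xss\" severity=\"Medium\" path=\"/search\" param=\"q\"/>"
        + "<vuln type=\"sqli\" severity=\"High\" path=\"/login\" param=\"user\"/>"
        + "<vuln type=\"info-leak\" severity=\"Low\" path=\"/robots.txt\" param=\"\"/>"
        + "</scan>";
    static final String SCANNER_B_CSV = "type,severity,path,param\n"
        + "xss,High,/search,q\n"
        + "csrf,Low,/profile,\n";
    // A later scan of the same application in which the SQL injection no longer appears.
    static final String LATER_SCAN_CSV = "type,severity,path,param\n"
        + "xss,Medium,/search,q\n"
        + "info-leak,Low,/robots.txt,\n"
        + "csrf,Low,/profile,\n";

    static List<Finding> parseXml(String xml, String scanner) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // A scanner export is untrusted input: refuse DTDs so a crafted report cannot trigger XXE.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        NodeList vulns = f.newDocumentBuilder()
                .parse(new InputSource(new StringReader(xml))).getElementsByTagName("vuln");
        List<Finding> out = new ArrayList<>();
        for (int i = 0; i < vulns.getLength(); i++) {
            Element e = (Element) vulns.item(i);
            out.add(new Finding(e.getAttribute("type"), e.getAttribute("path"),
                                e.getAttribute("param"), e.getAttribute("severity"), scanner));
        }
        return out;
    }

    static List<Finding> parseCsv(String csv, String scanner) {
        List<Finding> out = new ArrayList<>();
        String[] lines = csv.split("\n");
        for (int i = 1; i < lines.length; i++) {        // row 0 is the header
            String[] c = lines[i].split(",", -1);       // -1 keeps an empty trailing param
            out.add(new Finding(c[0], c[2], c[3], c[1], scanner));
        }
        return out;
    }

    /** Collapses duplicates across scanners; the highest severity reported for a key wins. */
    static Map<String, Finding> merge(List<List<Finding>> scans) {
        Map<String, Finding> merged = new TreeMap<>();
        for (List<Finding> scan : scans)
            for (Finding f : scan) {
                Finding prev = merged.get(f.key());
                if (prev == null || SEVERITY_ORDER.indexOf(f.severity) > SEVERITY_ORDER.indexOf(prev.severity))
                    merged.put(f.key(), f);
            }
        return merged;
    }

    /** Per scanner, how many of its findings no other scanner reported (scanner effectiveness). */
    static Map<String, Integer> uniqueToScanner(List<List<Finding>> scans) {
        Map<String, Set<String>> reporters = new HashMap<>();
        for (List<Finding> scan : scans)
            for (Finding f : scan)
                reporters.computeIfAbsent(f.key(), k -> new HashSet<>()).add(f.scanner);
        Map<String, Integer> unique = new TreeMap<>();
        for (List<Finding> scan : scans)
            for (Finding f : scan)
                if (reporters.get(f.key()).size() == 1) unique.merge(f.scanner, 1, Integer::sum);
        return unique;
    }

    /** Trend between two merged scans: keys present before but absent now were closed. */
    static Set<String> closedSince(Set<String> previous, Set<String> current) {
        Set<String> closed = new TreeSet<>(previous);
        closed.removeAll(current);
        return closed;
    }

    public static void main(String[] args) throws Exception {
        List<List<Finding>> scans = Arrays.asList(
                parseXml(SCANNER_A_XML, "scannerA"), parseCsv(SCANNER_B_CSV, "scannerB"));
        Map<String, Finding> merged = merge(scans);
        for (Finding f : merged.values()) System.out.println(f.severity + "  " + f.key());
        System.out.println("unique per scanner: " + uniqueToScanner(scans));
        Set<String> later = merge(Collections.singletonList(parseCsv(LATER_SCAN_CSV, "scannerA"))).keySet();
        System.out.println("closed since last scan: " + closedSince(merged.keySet(), later));
    }
}
```

With the constructed data the merge yields four vulnerabilities (the XSS on /search is counted once, at the higher severity reported by scanner B), scanner A has two findings nobody else reported and scanner B has one, and the later scan shows the SQL injection on /login as closed. The dedup key is the part that deserves the most thought in a real program: too coarse and distinct issues collapse, too fine (for example including the scanner's own finding ID) and the same bug is counted once per tool, which is exactly the situation the "scanner effectiveness" report is meant to expose.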
 57. Governance: Policy and Compliance
     •  What compliance regimes are your organization and applications subject to?
        –  PCI
        –  HIPAA
        –  SOX
     •  What policies will you put in place to meet these obligations?
 58. Governance: Education and Guidance
     •  Software security requires the input of a variety of stakeholders
     •  Software security is a relatively new area of study
        –  Many of the involved parties (e.g. software developers) have never been exposed to it
     •  You cannot hold people responsible if they have not been properly trained
 59. Governance: Education and Guidance
     •  Variety of potential consumers
        –  Executives / Management
        –  Developers
        –  Quality Assurance (QA)
        –  Security Testers
     •  Need for information at several levels
        –  Introduction / overview
        –  Topic-specific
        –  Technology-specific
     •  Several ways to deliver guidance and training
        –  Self-serve portal
        –  Instructor-led training
        –  E-Learning
 60. OWASP Development Guide
     •  Provides guidance to developers on how to build secure applications
     •  Attempts to cover broad topics with some technology-specific examples
     •  Several translations: English, Spanish, Japanese
     •  Originally released in 2001, revised in 2005; somewhat dated
     •  Currently undergoing a significant rewrite
     •  Main site: https://www.owasp.org/index.php/OWASP_Guide_Project
 61. OWASP Cheat Sheets
     •  Provide targeted, consumable guidance on specific topics or technologies
        –  Authentication
        –  Transport layer protection
        –  Input validation
        –  Session management
        –  And so on...
     •  Tend to be "fresher" than the related sections in the Development Guide
        –  Also easier to provide to developers for use
     •  Main site: https://www.owasp.org/index.php/Cheat_Sheets
 62. OWASP Secure Coding Practices Quick Reference Guide
     •  Technology-agnostic set of general software security coding practices
     •  Consumable
        –  ~17 pages long
        –  Checklist format
     •  Main site: https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide
 63. OWASP Secure Coding Practices Quick Reference Guide
     •  Covered topics:
        –  Input validation
        –  Output encoding
        –  Authentication and password management
        –  Session management
        –  Access control
        –  Cryptographic practices
        –  Error handling and logging
        –  Data protection
        –  Communication security
        –  Database security
        –  File management
        –  Memory management
        –  General coding practices
 64. OWASP WebGoat - Overview
     •  Deliberately insecure JEE web application (run it only inside the class VM; never expose it on a shared network)
     •  Presented as a series of lessons
        –  SQL injection
        –  Cross-site Scripting (XSS)
        –  Cross-site Request Forgery (CSRF)
        –  Hidden form manipulation
        –  And so on...
     •  Main site: https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
 65. OWASP WebGoat - Installation
     •  Available as a self-contained ZIP archive (WebGoat plus Apache Tomcat)
     •  Instructions (from ~/Desktop/WorkingDir):
        –  Unzip WebGoat: unzip ~/Downloads/WebGoat-5.4-OWASP_Standard_Win32.zip
        –  Make webgoat.sh executable: cd WebGoat-5.4/ ; chmod u+x webgoat.sh
        –  Make one tiny little cheating change in webgoat.sh: delete lines 20 and 24 to short-circuit the JVM version checking
        –  Run WebGoat: ./webgoat.sh start8080
           •  Could also run "./webgoat.sh start80" to start on port 80 (binding to port 80 requires root)
        –  Navigate to http://localhost:8080/WebGoat/attack (case matters)
 66. OWASP WebGoat - Usage
     •  WebGoat consists of different "lessons" to be passed
        –  Each demonstrates a vulnerability or some other aspect of web application security
     •  Hints: show hints about how to solve the lesson
     •  Show Params: toggle rendering request parameters in the page
     •  Show Cookies: toggle rendering request cookies in the page
     •  Lesson Plan: explain the purpose of the lesson
     •  Show Java: show the Java source code of the lesson in a window
     •  Solution: show the solution to the lesson in a window
 67. WebGoat - Example
     •  Navigate to General -> Http Basics
     •  Click on: Hints, Show Params, Show Cookies, Lesson Plan, Show Java, Solution
     •  Enter your name in the field and click "Go!"
     •  Navigate to Admin Functions -> Report Card
        –  Shows lessons completed, hints used
 68. wavsep - Overview
     •  Web Application Vulnerability Scanner Evaluation Project (wavsep)
     •  "A vulnerable web application designed to help assessing the features, quality and accuracy of web application vulnerability scanners. This evaluation platform contains a collection of unique vulnerable web pages that can be used to test the various properties of web application scanners"
     •  Used for many benchmarks; check out http://sectooladdict.blogspot.co.il/2012/07/2012-web-application-scanner-benchmark.html
     •  Main site: http://code.google.com/p/wavsep/
 69. wavsep - Installation
     •  Install MySQL (wavsep uses it as its database): sudo apt-get install mysql-server
     •  Install wavsep
        –  unzip wavsep-v1.2-war-linux.zip
        –  Copy wavsep.war into the WebGoat-5.4/tomcat/webapps/ directory (the WebGoat Tomcat instance deploys it)
        –  http://localhost:8080/wavsep/wavsep-install/install.jsp
 70. wavsep - Usage
     •  Navigate your browser to http://localhost:8080/wavsep/
     •  Run scanners against the various subdirectories / URLs
        –  There are no actual links to /wavsep/index-active.jsp and /wavsep/index-passive.jsp
        –  You will need to let the scanners know they are there (add them as explicit start URLs rather than relying on the crawler)
 71. OpenSAMM: Construction
     •  Threat Assessment
     •  Security Requirements
     •  Secure Architecture
 72. Construction: Threat Assessment
     •  Identify and characterize potential attacks
     •  These will determine investment level and required countermeasures
     •  WHO do you need to be worried about?
        –  Nation-states
        –  Chaotic actors
        –  Organized crime
        –  And so on...
 73. Construction: Security Requirements
     •  Up-front determination of the required security properties of the system
     •  Drive future activities
 74. Construction: Secure Architecture
     •  Use the design process to:
        –  Build in security controls
        –  Avoid injecting security issues
     •  Threat modeling
     •  Architectural risk analysis
 75. ESAPI - Overview
     •  Enterprise Security API (ESAPI)
     •  Open source web application security control library
     •  Several languages available: JavaEE, .NET, PHP, Classic ASP, etc.
        –  WIDE variation in maturity and support
        –  Stick to Java unless you are very brave (and even then)
     •  Main site: https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
 76. ESAPI - Installation (Java)
     •  Instructions (from ~/Desktop/WorkingDir):
        –  Create a container directory and relocate there: mkdir ESAPI ; cd ESAPI
        –  Unpack: tar xzvf ~/Downloads/esapi-2.0.1-dist.tar.gz
        –  To use in a project, copy the ESAPI JAR and its supporting JARs into your lib/ directory
           •  You might not need servlet-api-2.4.jar if your project already contains those classes
        –  Set up the ESAPI.properties file
           •  Logging configuration
           •  Encryption master keys (generate your own; do not ship the sample values)
        –  See documentation/esapi4java-core-2.0-install-guide.pdf
           •  Use in specific build systems and development environments
           •  Step-by-step instructions
 77. Exercise: Fixing XSS Vulnerabilities with ESAPI
     •  To use:
        –  Follow the installation guide
        –  Must create a folder (.esapi) to store your configuration and preferences
     •  Get access to the library:
        –  Add all the support jars (31) to your project
        –  Remove repeated jars
        –  Add esapi-2.0_rc10.jar to your project
        –  In a JSP: <%@ page import="org.owasp.esapi.ESAPI, org.owasp.esapi.Encoder" %>
     •  Make calls to encode tainted data:
        –  ESAPI.encoder().encodeForHTML()
        –  ESAPI.encoder().encodeForHTMLAttribute()
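An added worked version of the exercise, written for this page rather than taken from the course materials or from ESAPI itself: one user-supplied value is rendered into three places in a page, first the way the vulnerable lesson code does it (plain concatenation) and then through the ESAPI encoder that matches each context. It goes one step past the two calls listed above by also covering a value dropped into a JavaScript string, because the HTML encoder is the wrong tool there. It assumes the ESAPI JAR, its supporting JARs and an ESAPI.properties file reachable on the classpath (the .esapi folder from the steps above); the attacker input is constructed.

```java
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encoder;

/** Before/after for the XSS exercise: the same tainted value written into an HTML
 *  body, an HTML attribute and a JavaScript string literal. Example code, not part
 *  of ESAPI; needs esapi-2.x and its ESAPI.properties on the classpath. */
public class EsapiXssFix {

    // Constructed attacker input: the quotes break out of an attribute value and of a
    // JS string, and the rest injects a script element into the page.
    static final String TAINTED = "\"'><script>alert(document.cookie)</script>";

    /** The "before" code: the value reaches the page exactly as received. */
    static String renderVulnerable(String name) {
        return "<p>Hello, " + name + "</p>\n"
             + "<input type=\"text\" name=\"name\" value=\"" + name + "\">\n"
             + "<script>var who = '" + name + "';</script>\n";
    }

    /** The fix: choose the encoder by where the value lands, not by where it came from. */
    static String renderEncoded(String name) {
        Encoder enc = ESAPI.encoder();
        return "<p>Hello, " + enc.encodeForHTML(name) + "</p>\n"
             // The attribute value must still be quoted in the template; encoding alone
             // does not add the quotes, it only neutralizes the ones in the data.
             + "<input type=\"text\" name=\"name\" value=\"" + enc.encodeForHTMLAttribute(name) + "\">\n"
             // Inside a JS string literal the HTML encoder is not enough (the browser does
             // not HTML-decode script content), so use the JavaScript encoder here.
             + "<script>var who = '" + enc.encodeForJavaScript(name) + "';</script>\n";
    }

    public static void main(String[] args) {
        System.out.println("--- vulnerable ---");
        System.out.print(renderVulnerable(TAINTED));
        System.out.println("--- encoded ---");
        System.out.print(renderEncoded(TAINTED));
    }
}
```

In the vulnerable output the injected script element appears verbatim three times; in the encoded output the quotes and angle brackets come back as character entities in the first two contexts and as backslash escapes in the script block, so the browser renders the text instead of executing it. When you apply this in WebGoat or your own JSPs, the reviewer question for every dynamic value is the same one the two `render` methods make explicit: which context is it written into, and is the encoder the one for that context.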
  78. 78. © Copyright 2013 Denim Group - All Rights Reserved ESAPI – Possible Challenges (Java) •  ESAPI Java has a LOT of dependencies (~30 JARs) •  Can cause configuration management and licensing issues for some organizations •  Potential versioning issues 77
  79. 79. © Copyright 2013 Denim Group - All Rights Reserved Microsoft Web Protection Library - Overview •  Set of .NET assemblies which help protect web applications •  AntiXSS encoding library –  Encoding functions for HTML, HTML attributes, XML, etc •  HTML sanitization routines (for “safely” accepting rich content) •  Security Runtime Engine (SRE) –  Provides runtime protection against SQL injection and Cross-Site Scripting (XSS) •  Sites: –  http://wpl.codeplex.com/ –  https://www.microsoft.com/en-us/download/details.aspx?id=28589 78
  80. 80. © Copyright 2013 Denim Group - All Rights Reserved Microsoft Web Protection Library - Cautions •  A security vulnerability was identified in the 4.0 release •  There have been complaints about the HTML sanitization in the 4.2.1 release being broken with little follow-up from Microsoft •  Older (WPL 4.0) binaries should be available from http://ajaxcontroltoolkit.codeplex.com/releases/view/76976 79
  81. 81. © Copyright 2013 Denim Group - All Rights Reserved Microsoft Web Protection Library - Installation •  Run the MSI installer •  To use: –  Import reference to AntiXSS.dll (optionally include HtmlSanitizationLibrary.dll) •  Found in C:Program Files (x86)Microsoft Information SecurityAntiXSS Library v4.0 –  Get access to library: •  In code: –  using Microsoft.Security.Application; •  In ASPX page: –  <%@ Import Namespace="Microsoft.Security.Application" %> –  Make call to encode tainted data: •  AntiXss.HtmlEncode() •  AntiXss.HtmlAttributeEncode() •  And so on… 80
82. OpenSAMM: Verification
•  Design Review
•  Code Review
•  Security Testing

83. Application Security Assessments
•  The challenges and goals of an assessment
•  What an assessment must accomplish
•  The assessment approach
  –  Identification
  –  Baseline Review and Testing
  –  Threat Identification
  –  Targeted Review and Testing
  –  Reporting

84. The Challenges and Goals of Software Assessments
•  Identify the application’s vulnerabilities and the risks they entail
•  Provide the greatest value for the time spent
•  Provide application owners with detailed vulnerability reports and remediation recommendations
  –  Provide actionable reports to the application team

85. How Assessors Can Support Those Goals
•  Strategic Message
  –  The assessments must be conducted efficiently, with the majority of the time spent on performing the assessments. This will increase the coverage of the assessments and the depth and quality of the product delivered to the application owners. Scheduling and preparation of assessments should be conducted in an almost production-line approach.
•  Testing must…
  –  Be integral to the development team’s own ongoing efforts
  –  Cover the “breadth” and “depth” of the functionality
  –  Reflect experience with the technology and business
•  Reporting must…
  –  Clearly communicate risk, both business and technical
  –  Allow trouble-free integration with the business’s strategic assets
  –  Guide and justify remediation efforts

86. The Output of an Assessment Engagement Should…
•  Summarize vulnerability discoveries and known risk
•  Provide adequate detail about discovered vulnerabilities
  –  Where in the application behavior or code the vulnerability resides
  –  The implied security risk
  –  Any mitigating factors for exploitation
     •  Requires high-level credentials to exploit
     •  Requires social engineering to exploit
     •  etc.
•  Rate the vulnerabilities to help prioritize remediation
  –  DREAD works well for this as it accounts for damage potential, reproducibility, affected users, etc.
•  Provide remediation criteria and recommended approaches

87. The General Assessment Approach
•  Identification
  –  Help identify which applications have the highest priority to assess
•  Preparation
  –  Obtain requisite code and/or access
•  Threat Modeling
  –  Data flow, functional security, abuse cases
•  Baseline Review and Testing
  –  Account for risks inherent to the technology and common features
  –  Commercial scanning tools with manual auditing
•  Targeted Testing
  –  Account for identified threats, data flow, abuse cases
  –  Follow up on suspect behavior from the baseline review and testing
•  Reporting
  –  Rate vulnerabilities
  –  Provide remediation recommendations
88. Verification: Design Review
•  Incorporate security into review of architecture/design materials
•  Were the previous assurance activities successful?

89. Microsoft Threat Analysis and Modeling Tool - Overview
•  Create threat models for your applications
•  Identify potential issues
•  Plan for mitigations
•  Requires Visio 2007 or 2010
•  Main site: http://www.microsoft.com/security/sdl/adopt/threatmodeling.aspx

90. Microsoft Threat Analysis and Modeling Tool - Installation
•  Run ThreatModelingToolSetup318.msi
•  Software should be installed to C:\Program Files\Microsoft\SDL Threat Modeling Tool

91. Microsoft Threat Analysis and Modeling Tool - Example
•  Create a Threat Model for a mobile application

92. Approaches for Identifying Threats
•  Use Cases for Business
  –  Useful for identifying flaws with specific application features
•  Data Flow for Architecture
  –  What threats can we identify looking at the application’s data flow?
  –  The whole system’s data stores, services, processes, etc.
  –  The interaction among those components
•  Functional Security
  –  Here are the security features. How could an attacker defeat them?
•  Attacker’s Goals for Threat Trees
  –  If you are an attacker, what would you want to accomplish?
  –  How would you go about achieving the malicious goal?
  –  Useful for identifying any erroneous security assumptions
•  No one approach is perfect – these are essentially brainstorming techniques
93. Mapping Threats to Data Flow Asset Types

Threat Type                 | External Interactor | Process | Data Flow | Data Store
----------------------------|---------------------|---------|-----------|-----------
S – Spoofing                | Yes                 | Yes     |           |
T – Tampering               |                     | Yes     | Yes       | Yes
R – Repudiation             | Yes                 | Yes     |           | Yes
I – Information Disclosure  |                     | Yes     | Yes       | Yes
D – Denial of Service       |                     | Yes     | Yes       | Yes
E – Elevation of Privilege  |                     | Yes     |           |
94. Typical Mobile Threats
•  Spoofing: Users to the Mobile Application
•  Spoofing: Web Services to Mobile Application
•  Tampering: Mobile Application
•  Tampering: Device Data Stores
•  Disclosure: Device Data Stores or Residual Data
•  Disclosure: Mobile Application to Web Service
•  Denial of Service: Mobile Application
•  Elevation of Privilege: Mobile Application or Web Services
[Data flow diagram: User, Local App Storage, Mobile Application, Mobile Web Services, Device Keychain, Main Site Pages]
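The STRIDE-per-element mapping from the "Mapping Threats to Data Flow Asset Types" slide applied to the elements of the mobile application diagram above, as an added example for this page (not output of the Microsoft tool and not course material). The element names are taken from the diagram labels; their types and the two data flows are our assumptions about how the diagram is drawn. The code encodes the table once and enumerates, for each element, the threat categories the table marks "Yes", which is the mechanical first pass the brainstorming slide says no single approach replaces.

```python
"""STRIDE-per-element enumeration over a data flow diagram (added example)."""

# Rows of the mapping table: threat category -> element types it applies to.
STRIDE = {
    "Spoofing":               {"External Interactor", "Process"},
    "Tampering":              {"Process", "Data Flow", "Data Store"},
    "Repudiation":            {"External Interactor", "Process", "Data Store"},
    "Information Disclosure": {"Process", "Data Flow", "Data Store"},
    "Denial of Service":      {"Process", "Data Flow", "Data Store"},
    "Elevation of Privilege": {"Process"},
}

ELEMENT_TYPES = {"External Interactor", "Process", "Data Flow", "Data Store"}

# Constructed reading of the mobile application diagram: (element, type).
# Element types and the two flows are assumptions, not taken from the slide.
MOBILE_DFD = [
    ("User", "External Interactor"),
    ("Mobile Application", "Process"),
    ("Mobile Web Services", "Process"),
    ("Local App Storage", "Data Store"),
    ("Device Keychain", "Data Store"),
    ("User -> Mobile Application", "Data Flow"),
    ("Mobile Application -> Mobile Web Services", "Data Flow"),
]


def applicable_threats(element_type):
    """Return the STRIDE categories the table marks 'Yes' for one element type."""
    if element_type not in ELEMENT_TYPES:
        raise ValueError("unknown element type: %s" % element_type)
    return [cat for cat, types in STRIDE.items() if element_type in types]


def enumerate_threats(dfd):
    """Produce (category, element) pairs for every element in the diagram."""
    pairs = []
    for name, etype in dfd:
        for cat in applicable_threats(etype):
            pairs.append((cat, name))
    return pairs


def threats_by_category(dfd):
    """Group the enumerated threats as category -> [element names]."""
    grouped = {cat: [] for cat in STRIDE}
    for cat, name in enumerate_threats(dfd):
        grouped[cat].append(name)
    return grouped


if __name__ == "__main__":
    for category, elements in threats_by_category(MOBILE_DFD).items():
        print("%s: %s" % (category, ", ".join(elements)))
```

Running it reproduces the headline entries on the "Typical Mobile Threats" slide (Spoofing for the User and both processes, Elevation of Privilege only for the Mobile Application and Web Services) and also lists the flow- and store-level items the slide covers in the following pages. Each generated pair is a question to take into the review, not a confirmed finding.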
95. Spoofing: Users to the Mobile Application
•  Borrowed Device
•  Stolen Device
•  Other Malicious Application
[Data flow diagram: Attacker, Local App Storage, Mobile Application, Device Keychain]

96. Spoofing: Attacker to Mobile Web Services
•  Attacks against Mobile Web Services
[Data flow diagram: User, Mobile Application, Mobile Web Services, Attacker]

97. Spoofing: Web Services to Mobile Application
•  Borrowed Device
•  Other Malicious Application
[Data flow diagram: User, Mobile Application, Mobile Web Services, Malicious Host]

98. Tampering: Mobile Application
•  Borrowed/Stolen Device
•  Other Malicious Application
[Data flow diagram: User, Local App Storage, Tampered Application, Device Keychain]

99. Disclosure: Device Data Stores or Residual Data
•  Borrowed/Stolen Device
•  Malicious Application Functionality
•  Other Malicious Application
•  Attacks from Mobile Web Services
[Data flow diagram: User, Local SQLite Storage, Mobile Application, Device Keychain]

100. Disclosure: Mobile Application to Web Service
•  Attacks from Local Network
•  Other Malicious Application
[Data flow diagram: User, Mobile Application, Mobile Web Services, Attacker]

101. Other Data-Flow Threats
•  Denial of Service
•  Elevation of Privilege
[Data flow diagrams: User, Local App Storage, Mobile Application, Device Keychain; USAA Member, Local App Storage, Mobile Application, Device Keychain, Attacker]
102. Verification: Code Review
•  Review software artifacts “at rest”
•  Can be both automated and manual
•  Reach and frequency
  –  How much of your software is subject to review?
  –  How thorough is the analysis?
  –  How often is it performed?

103. Static Analysis
•  Source Code Scanning
•  Manual Code Reviews
•  Advantages
  –  Identifies flaws during integration, when it is easier to address issues
  –  Developers can identify flaws in their own code before checking it in
  –  Many projects already have a code review process in place
•  Disadvantages
  –  Freeware tools often do not address security well (specifically dataflow analysis)
  –  Licensed tools are a significant investment
  –  Manual review can be unstructured and time-consuming without licensed tools
  –  Not ideal for discovering logical vulnerabilities

104. Static Analysis Tools
•  Commercial Tools
  –  Fortify (now HP)
  –  Ounce (now IBM Rational)
  –  Checkmarx
  –  Veracode (SaaS)
•  Freeware Tools
  –  RATS/Flawfinder – C/C++, Python, PHP
  –  FindBugs – Java
  –  PMD – Java
  –  FxCop – .NET
  –  Brakeman – Ruby on Rails

105. FindBugs - Overview
•  Freely-available binary static analysis tool for Java
•  Main site: http://findbugs.sourceforge.net/

106. FindBugs - Installation
•  Instructions (from ~/Desktop/WorkingDir):
  –  Unpack the distribution
     •  tar xzvf ~/Downloads/findbugs-2.0.3-rc1.tar.gz
     •  Should unpack into findbugs-2.0.3-rc1/
•  Can also install as an Eclipse plugin:
  –  Plugin update site: http://findbugs.cs.umd.edu/eclipse

107. FindBugs – Usage (GUI)
•  Run the FindBugs GUI
  –  bin/fb gui
•  Create a new project
  –  File -> New Project
  –  Enter project name “WebGoat”
  –  Enter classpath for analysis “~/Desktop/WorkingDir/WebGoat-5.4/tomcat/webapps/WebGoat.war”
  –  Use remaining defaults and run analysis
•  Notice the error messages but ignore them for now and look through the results

108. FindBugs – Usage (GUI)
•  But can we get rid of those error messages?
•  Reconfigure the project
  –  File -> Reconfigure
  –  Add supporting JARs
     •  JARs in tomcat/bin/
     •  JARs in tomcat/lib/
     •  JARs in tomcat/webapps/WebGoat/WEB-INF/lib
  –  CAN’T JUST SELECT THE DIRECTORIES – MUST SELECT ALL THE JARS
•  Re-run the analysis

109. FindBugs – Usage (GUI)
•  The reporting seems to be lacking details. Can we link to the source?
•  Install subversion
  –  sudo apt-get install subversion
•  Download the appropriate source code
  –  svn checkout http://webgoat.googlecode.com/svn/tags/webgoat-5.4 webgoat-src
•  Reconfigure the project
  –  File -> Reconfigure
  –  Add source directory
     •  ~/WorkingDir/WebGoat-5.4/webgoat-src/src/main/java
•  Now you should be able to see the WebGoat source files
•  Save the results as a FindBugs Project (fbp) file
  –  bin/ directory
  –  FBP files can be sensitive to relative paths if moved

110. FindBugs – Usage Notes
•  So what did we learn about FindBugs?
  –  FindBugs has to know about the binaries it is supposed to analyze
  –  FindBugs gives us better results if we include supporting libraries
  –  FindBugs gives us better reporting if we include source code
•  These lessons translate to most static analysis tools (commercial and open source)

111. FindBugs – What Has It Told Us?
•  There are lots of results
  –  But not all of them have to do with security
•  There is a Security top-level category
  –  Some good stuff in here (if perhaps a little noisy)
•  What else might we want to look at?
  –  Correctness
  –  Bad practice
  –  Malicious code vulnerability
  –  Multithreaded correctness
  –  Performance

112. FindBugs – Usage (Command Line)
•  Hopefully you saved a .fbp file via the GUI…
•  bin/fb analyze -project <projectname>
  –  Runs the same FindBugs analysis we did before but prints the results to stdout
•  bin/fb analyze -project <projectname> -xml:withMessages -output <outputfile>
  –  Runs the same FindBugs analysis we did before but stores results with human-readable descriptions in the indicated XML file
•  Documentation for command-line switches: http://findbugs.sourceforge.net/manual/running.html#commandLineOptions
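Triage of the XML that the command-line run above writes, as an added example for this page (not FindBugs code and not course material). It pulls the Security category out first and then orders the rest in the sequence the "What Has It Told Us?" slide suggests, so the output is a review queue rather than the full result set. The sample report is constructed by hand and modelled on the FindBugs 2.x XML format as we know it (BugInstance elements with type, priority and category attributes, a ShortMessage child, and a SourceLine child with sourcepath and start); those attribute names and the category codes are assumptions to check against a real report, and the bug types are real FindBugs detectors while the class and file names are invented.

```python
"""Order FindBugs -xml:withMessages output into a security review queue (added example)."""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed report, modelled on FindBugs 2.x XML; class/file names are invented.
SAMPLE_REPORT = """<BugCollection version="2.0.3" sequence="0" timestamp="0" analysisTimestamp="0" release="">
  <Project projectName="WebGoat"/>
  <BugInstance type="SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE" priority="1" abbrev="SQL" category="SECURITY">
    <ShortMessage>Nonconstant string passed to execute method on an SQL statement</ShortMessage>
    <SourceLine classname="example.lesson.SqlStringLesson" start="88" end="88" sourcefile="SqlStringLesson.java" sourcepath="example/lesson/SqlStringLesson.java"/>
  </BugInstance>
  <BugInstance type="XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER" priority="2" abbrev="XSS" category="SECURITY">
    <ShortMessage>Servlet reflected cross site scripting vulnerability</ShortMessage>
    <SourceLine classname="example.lesson.ReflectedLesson" start="41" end="41" sourcefile="ReflectedLesson.java" sourcepath="example/lesson/ReflectedLesson.java"/>
  </BugInstance>
  <BugInstance type="HRS_REQUEST_PARAMETER_TO_HTTP_HEADER" priority="3" abbrev="HRS" category="SECURITY">
    <ShortMessage>HTTP Response splitting vulnerability</ShortMessage>
    <SourceLine classname="example.lesson.HeaderLesson" start="63" end="63" sourcefile="HeaderLesson.java" sourcepath="example/lesson/HeaderLesson.java"/>
  </BugInstance>
  <BugInstance type="NP_NULL_ON_SOME_PATH" priority="2" abbrev="NP" category="CORRECTNESS">
    <ShortMessage>Possible null pointer dereference</ShortMessage>
    <SourceLine classname="example.util.Helper" start="120" end="120" sourcefile="Helper.java" sourcepath="example/util/Helper.java"/>
  </BugInstance>
  <BugInstance type="MS_SHOULD_BE_FINAL" priority="1" abbrev="MS" category="MALICIOUS_CODE">
    <ShortMessage>Field isn't final but should be</ShortMessage>
    <SourceLine classname="example.util.Config" start="17" end="17" sourcefile="Config.java" sourcepath="example/util/Config.java"/>
  </BugInstance>
</BugCollection>
"""

# Review order from the slides: Security first, then the categories worth a look.
# Category codes are assumed to match FindBugs 2.x; verify against your report.
REVIEW_ORDER = ["SECURITY", "CORRECTNESS", "BAD_PRACTICE",
                "MALICIOUS_CODE", "MT_CORRECTNESS", "PERFORMANCE"]


def parse_report(xml_text):
    """Flatten BugInstance elements into dicts (use ET.parse(path) for a file)."""
    root = ET.fromstring(xml_text)
    findings = []
    for bug in root.iter("BugInstance"):
        loc = bug.find("SourceLine")
        findings.append({
            "type": bug.get("type"),
            "priority": int(bug.get("priority", "3")),   # 1 = highest confidence
            "category": bug.get("category"),
            "message": bug.findtext("ShortMessage", default=""),
            "file": loc.get("sourcepath") if loc is not None else None,
            "line": int(loc.get("start")) if loc is not None and loc.get("start") else None,
        })
    return findings


def count_by_category(findings):
    """How noisy is each category? Counter of category -> number of findings."""
    return Counter(f["category"] for f in findings)


def security_findings(findings, max_priority=2):
    """SECURITY findings at priority <= max_priority, highest priority first."""
    sec = [f for f in findings
           if f["category"] == "SECURITY" and f["priority"] <= max_priority]
    return sorted(sec, key=lambda f: (f["priority"], f["file"] or "", f["line"] or 0))


def review_queue(findings):
    """All findings ordered by REVIEW_ORDER, then priority, then location."""
    rank = {cat: i for i, cat in enumerate(REVIEW_ORDER)}
    return sorted(findings, key=lambda f: (rank.get(f["category"], len(REVIEW_ORDER)),
                                           f["priority"], f["file"] or "", f["line"] or 0))


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print(dict(count_by_category(found)))
    for f in review_queue(found):
        print("%-14s P%d %s:%s %s" % (f["category"], f["priority"], f["file"], f["line"], f["type"]))
```

The priority threshold in `security_findings` is where the "a little noisy" caveat from the slides gets applied: priority-3 findings stay in the queue but are not the first thing handed to developers.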
113. FxCop - Overview
•  Free static analysis tool from Microsoft
•  Integrated into Visual Studio
•  Similar capabilities to FindBugs (but for .NET)
•  Blog: http://blogs.msdn.com/b/codeanalysis/

114. CAT.NET - Overview
•  Free static analysis tool from Microsoft
•  Does dataflow analysis (rare among the free tools)
•  Version 1: http://www.microsoft.com/en-us/download/details.aspx?id=19968
•  Version 2: http://blogs.msdn.com/b/securitytools/archive/2010/02/04/cat-net-2-0-beta.aspx
•  Dinis Cruz has done some interesting work with CAT.NET and O2
  –  https://www.owasp.org/index.php/OWASP_O2_Platform/Microsoft/CAT.NET
•  Plans for future development are not clear

115. Brakeman - Overview
•  Security scanner for Ruby on Rails applications
•  Static analysis
•  Finds things like SQL injection and XSS
  –  Also checks for certain CVE-type vulnerabilities
•  Main site: http://brakemanscanner.org/

116. Brakeman - Installation
•  Install prerequisites:
  –  sudo apt-get install ruby1.8
  –  sudo apt-get install rubygems
•  Install scanner:
  –  sudo gem install brakeman
•  Usage:
  –  brakeman <path-of-rails-site>
  –  brakeman -o <output-file> <path-of-rails-site>

117. Brakeman - Using
•  Try some test sites
•  But first install git:
  –  sudo apt-get install git
•  Sites to try:
  –  RailsGoat
     •  http://railsgoat.cktricky.com/
     •  git clone https://github.com/OWASP/railsgoat.git
  –  Hacme Casino
     •  git clone git://github.com/spinkham/Hacme-Casino

118. Agnitio - Overview
•  Tool for supporting manual code reviews
•  Set of checklists to verify security controls
•  Some grep-like search capabilities
•  Main site: http://sourceforge.net/projects/agnitiotool/

119. DependencyCheck – Overview
•  Checks for out-of-date JAR libraries with known CWE issues
•  Looks beyond JAR hashes
•  We used it to find a vulnerable library used by ThreadFix
  –  Apache POI library
  –  http://web.nvd.nist.gov/view/vuln/search-results?cpe=cpe%3A%2Fa%3Aapache%3Apoi%3A3.7&page_num=0&cid=1
•  Main site: https://github.com/jeremylong/DependencyCheck

120. DependencyCheck - Installation
•  Install dependencies:
  –  sudo apt-get install git (should have already done this)
  –  sudo apt-get update
  –  sudo apt-get install maven (we need Maven 3)
  –  sudo apt-get install openjdk-7-jdk (need a JDK – previously we only installed a JRE)
•  Download code:
  –  git clone git://github.com/jeremylong/DependencyCheck.git
•  Build:
  –  cd DependencyCheck
  –  mvn package

121. DependencyCheck – Example
•  Running DependencyCheck
  –  java -jar dependency-check-1.0.5-SNAPSHOT.jar -a WebGoat -out . -s <path-to-JARs>
  –  The first time it runs it needs to download NVD data from NIST, which can take a while
  –  Will attempt to check for new NVD data on later runs
•  Run against
  –  ThreadFix
  –  WebGoat
  –  OLAT
  –  Other Java-based applications
122. Verification: Security Testing
•  Runtime testing for security vulnerabilities
•  Web applications: automated scanners, web proxies
•  Other applications: fuzzing, protocol analysis

123. Dynamic Analysis
•  Integrate abuse cases into unit and automated testing
•  Use application scanning tools
•  Perform a dedicated penetration test by security staff or a 3rd party
•  Advantages
  –  Generally more time-efficient than manual code review
  –  Good for discovering logical vulnerabilities
•  Disadvantages
  –  Requires fully functional features to test
  –  Security staff may not have application security training or experience
  –  Scanning tools may have difficulty with unusual applications

124. Dynamic Analysis Tools
•  Automated Tools
  –  IBM Rational AppScan
  –  HP WebInspect
  –  Acunetix Vulnerability Scanner
  –  Netsparker
•  Manual Testing
  –  Zed Attack Proxy
  –  Burp
  –  Google RatProxy
  –  Browser plugins
  –  Testing Scripts – Watir
  –  Load and Performance testing tools – JMeter, Grinder

125. Arachni - Overview
•  Open source automated web application scanner
•  Written in Ruby
•  Can be deployed in a “grid” format for faster scanning
•  Uses several different types of analysis to identify vulnerabilities
  –  Fuzzing
  –  Taint analysis
  –  Time analysis
•  Main site: http://arachni-scanner.com/

126. Arachni – Installation
•  Unpack:
  –  tar xzvf arachni-0.4.5.2-0.4.2.1-linux-i686.tar.gz
•  Usage:
  –  arachni -h
  –  arachni http://site-to-test.com/
  –  arachni -fv http://site-to-test.com/ --report=html:outfile=my_report.html

127. w3af - Overview
•  Open source automated web application scanner
•  Written in Python
•  Main site: http://w3af.sourceforge.net/

128. w3af - Installation
•  Recommended *NIX install:
  –  git clone https://github.com/andresriancho/w3af.git
  –  cd w3af
  –  ./w3af_gui
•  Now fix the dependencies:
  –  apt-get install python-setuptools python-pip graphviz python2.7-dev libsqlite3-dev libxslt1-dev python-gtksourceview2 libxml2-dev python-pip
  –  Still need some Python stuff
  –  apt-get install libssl-dev (otherwise one of the dependency compiles will fail)
  –  /tmp/w3af_dependency_install.sh (make it executable and run with sudo) (great security practice, by the way…)
129. OWASP ZAProxy - Overview
•  Open source web proxy and web application scanner
•  Supports both manual and automated assessment
•  Fork of Paros Proxy
•  Exposes RESTful API
•  Main site: http://code.google.com/p/zaproxy/

130. OWASP ZAProxy - Installation
•  Unpack
  –  tar xzvf ZAP_2.2.2_Linux.tar.gz
•  Run
  –  zap.sh

131. OWASP ZAProxy – Usage
•  Change your browser to point to ZAP’s proxy
  –  ZAP defaults to using 8080, which might conflict with local Tomcat installs
  –  Change proxy port via Tools -> Options -> Local proxy
•  Spider
•  Passive Scanner
•  Active Scanner

132. Skipfish - Overview
•  Fast web application scanner written in C
•  Maintained by Google
•  Does a lot of file/directory guessing by default
•  Main site:
  –  https://code.google.com/p/skipfish/

133. Skipfish – Installation and Usage
•  Installation
  –  tar xzvf ~/Downloads/skipfish-2.10b.tgz
•  Handle dependencies:
  –  sudo apt-get install libpcre3-dev
  –  sudo apt-get install libidn11-dev
•  Build:
  –  make
•  Run:
  –  touch new_dict.wl
  –  ./skipfish -o output_dir -S existing_dictionary.wl -W new_dict.wl http://www.example.com/some/starting_path.txt
134. Which Open Source Scanner Is Best?
•  What Do You Want?
  –  Coverage
  –  Low False Positives
  –  Low False Negatives

135. Scanner Coverage
•  You can’t test what you can’t see
•  How effective is the scanner’s crawler?
•  How are URLs mapped to functionality?
  –  RESTful
  –  Parameters
•  Possible issues:
  –  Login routines
  –  Multi-step processes
  –  Anti-CSRF protection

136. Are You Getting a Good Scan?
Large financial firm: “Our 500 page website is secure because the scanner did not find any vulnerabilities!”
Me: “Did you teach the scanner to log in so that it can see more than just the homepage?”
Large financial firm: “…”

137. Can Your Scanner Do This?
•  Two-step login procedure:
  –  Enter username / password (pretty standard)
  –  Enter answer to one of several arbitrary questions
•  Challenge was that the parameter indicating the question was dynamic
  –  Question_1, Question_2, Question_3, and so on
  –  Makes standard login recording ineffective

138. It All Started With A Simple Blog Post…
•  Ran into an application with a complicated login procedure
•  Wrote blog post about the toolchain used to solve the problem
  –  http://blog.denimgroup.com/denim_group/2012/04/automated-application-scanning-handling-complicated-logins-with-appscan-and-burp-suite.html
•  Other scanner teams responded:
  –  IBM Rational AppScan
     •  http://blog.denimgroup.com/denim_group/2012/04/automated-application-scanning-handling-complicated-logins-with-appscan-only.html
  –  HP WebInspect
     •  http://blog.denimgroup.com/denim_group/2012/05/handling-challengeresponse-logins-in-hp-webinspect.html
  –  Mavituna Security Netsparker
     •  http://blog.denimgroup.com/denim_group/2012/05/handling-challengeresponse-logins-in-mavituna-netsparker.html
  –  NTObjectives NTOSpider
     •  http://blog.denimgroup.com/denim_group/2012/05/handling-challengeresponse-logins-in-ntospider.html

139. Scanner Authentication Scenario Examples
•  Built as a response to the previously-mentioned blog conversation
•  Example implementations of different login routines
  –  How can different scanners be configured to successfully scan?
•  GitHub site:
  –  https://github.com/denimgroup/authexamples

140. Did I Get a Good Scan?
•  Scanner training is really important
  –  Read the Larry Suto reports…
•  Must sanity-check the results of your scans
•  What URLs were accessed?
  –  If only two URLs were accessed on a 500 page site, you probably have a bad scan
  –  If 5000 URLs were accessed on a five page site, you probably have a bad scan
•  What vulnerabilities were found and not found?
  –  Scan with no vulnerabilities – probably not a good scan
  –  Scan with excessive vulnerabilities – possibly a lot of false positives

141. Low False Positives
•  Reports of vulnerabilities that do not actually exist
•  How “touchy” is the scanner’s testing engine?
•  Why are they bad?
  –  Take time to manually review and filter out
  –  Can lead to wasted remediation time

142. Low False Negatives
•  Scanner failing to report vulnerabilities that do exist
•  How effective is the scanner’s testing engine?
•  Why are they bad?
  –  You are exposed to risks you do not know about
  –  You expect that the scanner would have found certain classes of vulnerabilities
•  What vulnerability classes do you think scanners will find?

143. Other Benchmarking Efforts
•  Larry Suto’s 2007 and 2010 reports
  –  Analyzing the Accuracy and Time Costs of Web Application Security Standards
  –  http://ha.ckers.org/files/Accuracy_and_Time_Costs_of_Web_App_Scanners.pdf
  –  Vendor reactions were … varied
  –  [Ofer Shezaf attended this talk at AppSecEU 2012 and had some great questions and comments. See his reactions to the latest Larry Suto scanner report here: http://www.xiom.com/2010/02/09/wafs-are-not-perfect-any-security-tool-perfect]
•  Shay Chen’s Blog and Site
  –  http://sectooladdict.blogspot.com/
  –  http://www.sectoolmarket.com/
•  Web Application Vulnerability Scanner Evaluation Project (wavsep)
  –  http://code.google.com/p/wavsep/

144. So I Should Just Buy the Best Scanner, Right?
•  Or the cheapest?
•  Well…
  –  What do you mean by “best”?
•  Follow-on questions
  –  How well do the scanners work on your organization’s applications?
  –  How many false positives are you willing to deal with?
  –  What depth and breadth of coverage do you need?
145. What is a Unique Vulnerability in ThreadFix?
•  (CWE, Relative URL)
  –  Predictable resource location
  –  Directory listing misconfiguration
•  (CWE, Relative URL, Injection Point)
  –  SQL injection
  –  Cross-site Scripting (XSS)
•  Injection points
  –  Parameters – GET/POST
  –  Cookies
  –  Other headers

146. What Do The Scanner Results Look Like?
•  Usually XML
  –  Skipfish uses JSON and gets packaged as a ZIP
•  Scanners have different concepts of what a “vulnerability” is
  –  We normalize to the (CWE, location, [injection point]) noted before
•  Look at some example files
•  Several vendors have been really helpful adding additional data to their APIs and file formats to accommodate requests

147. Why Common Weakness Enumeration (CWE)?
•  Every tool has its own “spin” on naming vulnerabilities
•  OWASP Top 10 / WASC 24 are helpful but not comprehensive
•  CWE is exhaustive (though a bit sprawling at times)
•  Reasonably well-adopted standard
•  Many tools have mappings to CWE for their results
•  Main site: http://cwe.mitre.org/

148. Scanner Benchmarking in ThreadFix
•  Upload multiple scans
•  Mark false positives
•  Run reports

149. Let’s Run Our Own Benchmark
•  Scan wavsep with:
  –  w3af
  –  OWASP ZAP
  –  Arachni
  –  Skipfish
  –  (We package example files in ThreadFix/test-scans/wavsep)
•  Upload results to ThreadFix
•  Run reports

150. Current Limitations
•  Vulnerability importers are not currently formally vendor-supported
  –  Though a number have helped us test and refine them (thanks!)
  –  After you get a good scan, make sure you also got a good import
•  Summary report should show data by severity rating
  –  Make it easier to focus on vulnerabilities you probably care more about
  –  But you can look at the data by vulnerability type

151. You Know What Would Make All This Way Easier?
•  Common data standards for scanning tools!
•  Current efforts:
  –  MITRE Software Assurance Findings Expression Schema (SAFES)
     •  http://www.mitre.org/work/tech_papers/2012/11_3671/
  –  OWASP Data Exchange Format Project
     •  https://www.owasp.org/index.php/OWASP_Data_Exchange_Format_Project
152. Simple Software Vulnerability Language (SSVL)
•  Common way to represent static and dynamic scanner findings
•  Based on our experience building importers for ThreadFix
  –  It “works” for real-world applications because we are essentially using it
•  Love to hear feedback
  –  Folks have been using the GitHub bug tracker to discuss
•  Online:
  –  https://github.com/OWASP/SSVL

153. Simple Software Vulnerability Language (SSVL)

154. OpenSAMM: Deployment
•  Vulnerability Management
•  Environment Hardening
•  Operational Enablement

155. Deployment: Vulnerability Management
•  Processes for managing vulnerabilities in both internal and external software
•  Goal is consistency
•  Use data from vulnerability handling to improve processes
  –  Decrease number and severity of future vulnerabilities
  –  Decrease time-to-fix

156. Application Vulnerability Management
•  Application security teams use automated static and dynamic test results as well as manual testing results to assess the security of an application
•  Each test delivers results in different formats
•  Different test platforms describe the same flaws differently, creating duplicates
•  Security teams end up using spreadsheets to keep track manually
•  It is extremely difficult to prioritize the severity of flaws as a result
•  Software development teams receive unmanageable reports and only a small portion of the flaws get fixed

157. The Result
•  Application vulnerabilities persist in applications:
  –  Average serious vulnerabilities found per website per year is 79**
  –  Average days a website is exposed to one serious vulnerability is 231 days**
  –  Overall percentage of serious vulnerabilities that are fixed annually is only 63%**
•  Part of that problem is there is no easy way for the security team and application development teams to work together on these issues
•  Remediation quickly becomes an overwhelming project
•  Trending reports that track the number of reduced vulnerabilities are impossible to create
** WhiteHat Statistics Report (Summer 2012): https://www.whitehatsec.com/assets/WPstats_summer12_12th.pdf

158. Vulnerability Fun Facts:
•  Average number of serious vulnerabilities found per website per year is 79**
•  Serious vulnerabilities were fixed in ~38 days**
•  Percentage of serious vulnerabilities fixed annually is only 63%**
•  Average number of days a website is exposed to at least one serious vulnerability: ~231 days**
** WhiteHat Statistics Report (Summer 2012): https://www.whitehatsec.com/assets/WPstats_summer12_12th.pdf
159. Vulnerability Remediation Data

Vulnerability Type                          | Sample Count | Average Fix (minutes)
--------------------------------------------|--------------|----------------------
Dead Code (unused methods)                  | 465          | 2.6
Poor logging: system output stream          | 83           | 2.9
Poor Error Handling: Empty catch block      | 180          | 6.8
Lack of Authorization check                 | 61           | 6.9
Unsafe threading                            | 301          | 8.5
ASP.NET non-serializable object in session  | 42           | 9.3
XSS (stored)                                | 1023         | 9.6
Null Dereference                            | 157          | 10.2
Missing Null Check                          | 46           | 15.7
XSS (reflected)                             | 25           | 16.2
Redundant null check                        | 21           | 17.1
SQL injection                               | 30           | 97.5
160. Where Is Time Being Spent?
[Bar chart: share of remediation time by phase (Setup Development Environment, Fix Vulnerabilities, Confirm Fixes / QA, Deploy, Overhead), y-axis 0%–70%. Two series each sum to 100% (17/37/20/2/24% and 16/29/24/3/28%), shown with per-phase minimum (0/15/0/0/9%) and maximum (31/59/44/15/42%); the legend notes that one series indicates the weighted average versus the average of individual projects, and the extraction does not preserve which is which.]
161. Turning Vulnerabilities Into Software Defects
•  Security teams talk about “vulnerabilities”
•  Software developers talk about “defects”
•  Developers Don’t Speak PDF
  –  http://blog.denimgroup.com/denim_group/2012/11/hey-security-teams-developers-dont-speak-pdf.html
•  Why should developers manage 90% of their workload in defect trackers
  –  And the magic, special “security” part of their workload … some other way?
•  ThreadFix lets you slice, dice and bundle vulnerabilities into software defects
  –  And track their remediation status over time to schedule re-scans

162. ThreadFix: Vulnerability Import
•  A “channel” is a source of vulnerability data for an application
  –  With the 1.2 version users no longer have to manually manage channels
•  Each import from a channel is “diff’ed” versus the previous scan
  –  When do vulnerabilities appear?
  –  When do vulnerabilities go away?
•  Can be automated via the RESTful interface to include in the build process, etc.
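The normalization to (CWE, relative URL, injection point) from the "What is a Unique Vulnerability in ThreadFix?" slide, followed by the per-import diff described here, as an added example for this page (not ThreadFix code). The two scanner vocabularies, the URLs and the findings are constructed; the CWE numbers are the real ids for those weakness classes, and the choice of which classes are keyed by location alone follows the slide. The example also shows why the key matters: two reports of the same XSS with different payloads collapse into one vulnerability, and a second scan from a differently named tool can still be compared with the first.

```python
"""Normalize scanner findings to a ThreadFix-style key and diff two imports (added example)."""
from urllib.parse import urlsplit

# Each scanner has its own names for findings; map them onto CWE ids.
# Scanner-side strings are invented stand-ins; CWE ids are the real ones.
CWE_MAP = {
    "scannerA": {
        "SQL Injection": 89,
        "Cross Site Scripting": 79,
        "Directory Listing": 548,
        "Predictable Resource Location": 425,
    },
    "scannerB": {"sqli": 89, "xss": 79, "dir_listing": 548, "forced_browsing": 425},
}

# Classes identified by (CWE, relative URL) alone, per the slide;
# every other class also needs an injection point.
LOCATION_ONLY_CWES = {425, 548}


def normalize(scanner, finding):
    """Map one raw finding onto its unique-vulnerability key."""
    cwe = CWE_MAP[scanner][finding["name"]]
    path = urlsplit(finding["url"]).path or "/"      # relative URL: drop host and query
    if cwe in LOCATION_ONLY_CWES:
        return (cwe, path)
    point = finding.get("point")                     # e.g. "parameter:id", "cookie:sid"
    if not point:
        raise ValueError("injection point required for CWE-%d at %s" % (cwe, path))
    return (cwe, path, point)


def normalize_scan(scanner, findings):
    """Set of unique vulnerabilities in one scan; duplicate reports collapse."""
    return {normalize(scanner, f) for f in findings}


def diff_scans(previous, current):
    """Which vulnerabilities appeared, went away, or persisted between imports."""
    return {
        "new": sorted(current - previous),
        "resolved": sorted(previous - current),
        "persisting": sorted(previous & current),
    }


# Constructed results: the same application scanned twice with different tools.
SCAN_PREVIOUS = [
    {"name": "SQL Injection", "url": "http://app.example/login.jsp?username=a&password=b",
     "point": "parameter:username"},
    {"name": "Cross Site Scripting", "url": "http://app.example/search.jsp?q=x",
     "point": "parameter:q"},
    {"name": "Directory Listing", "url": "http://app.example/images/"},
    {"name": "Predictable Resource Location", "url": "http://app.example/backup.zip"},
]
SCAN_CURRENT = [
    {"name": "sqli", "url": "http://app.example/login.jsp", "point": "parameter:username"},
    # Reported twice by the scanner (two payloads); it is one vulnerability.
    {"name": "xss", "url": "http://app.example/profile.jsp", "point": "parameter:bio"},
    {"name": "xss", "url": "http://app.example/profile.jsp?bio=2", "point": "parameter:bio"},
    {"name": "dir_listing", "url": "http://app.example/images/"},
]


if __name__ == "__main__":
    previous = normalize_scan("scannerA", SCAN_PREVIOUS)
    current = normalize_scan("scannerB", SCAN_CURRENT)
    for status, keys in diff_scans(previous, current).items():
        print(status, keys)
```

A "resolved" entry only means the second scan did not report it; whether that is a fix or a coverage gap is the "did I get a good scan?" question from earlier, which is why a drop in findings should be checked against the URLs the scanner actually reached before the defect is closed.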
163. ThreadFix: Defect Tracker Integration
•  Turn vulnerabilities that security staff care about into software bugs that developers know how to handle
•  Bundle multiple vulnerabilities into a single defect
•  How to organize?
–  By severity
–  By type
–  By location in the application
–  Some combination
•  When the defect status changes you can schedule re-scans
164. But My Bug Tracker Isn’t Supported!
•  We are always working on supporting new technologies
–  Check out the current support list: https://code.google.com/p/threadfix/wiki/DefectTrackers
–  Submit a bug to the ThreadFix defect tracker: https://code.google.com/p/threadfix/issues/list
•  You can add new defect trackers as plugins
–  No changes to the core codebase required
–  For instructions and sample code check out the wiki article: https://code.google.com/p/threadfix/wiki/CustomDefectTrackerGuide
165. Deployment: Environment Hardening
•  Attackers do not care about applications – attacking infrastructure might be just as effective and valuable for them
•  Controls for operating environments:
–  Reduce vulnerabilities in the infrastructure
–  Enable logging and tracking
166. Microsoft Baseline Security Analyzer (MBSA) - Overview
•  Runs standard checks on Windows Workstations and Servers
–  Internet Explorer
–  IIS
–  SQL Server
•  Checks registry and file settings
•  2.2 Downloads: http://www.microsoft.com/en-us/download/details.aspx?id=7558
167. Microsoft Baseline Security Analyzer (MBSA) – Installation and Use
•  Install via the .msi
•  Run scans
–  Single machine
–  Network of machines
•  Review the results
168. Deployment: Operational Enablement
•  How do you install, configure and run your applications?
–  Also updates and upgrades
•  Runtime checks and logging for intrusion detection and incident response
–  John Dickson has done some work in this area
–  http://www.slideshare.net/denimgroup/top-strategies-to-capture-security-intelligence-for-applications
169. Continuous Integration and Security Testing
•  Reduce the time between introducing security defects and knowing about them
•  Free tools mean that any project can be instrumented
–  No licensing fees
•  ThreadFix has a REST-based API and command-line client for scripting
170. Exercise: Script the Scan/Upload Process
•  Generate a ThreadFix API key
•  Test the command-line client
•  Script a web application scan
•  Include file upload after scanning
171. mod_security - Overview
•  Open source web application firewall engine
•  Also has a Core RuleSet (CRS)
•  Traditionally has been Apache-only
–  Runs as an Apache module (mod_security)
–  Recently announced both IIS and Nginx support
•  Main site: http://www.modsecurity.org/
172. Virtual Patching
•  Overview
•  Applicability
•  Approaches
173. Overview
•  Create short-term protections by telling IDS/IPS/WAFs where vulnerabilities are located and how to detect attacks
–  IDS – Intrusion Detection System
–  IPS – Intrusion Prevention System
–  WAF – Web Application Firewall
174. Applicability
•  Most applicable for “technical” vulnerabilities
–  SQL injection
–  Cross-Site Scripting
•  Harder to do for application-specific vulnerabilities
175. Approaches
•  Tell the sensor where the vulnerability is and what an attack looks like
•  This rule pattern is useful when you need to protect a known address and a known parameter with a known payload.
176. ThreadFix: Virtual Patching
•  Use vulnerability data from scans (usually dynamic) to create targeted, application-specific WAF rules
•  ThreadFix supports several IDS/IPS/WAF systems
–  Snort
–  mod_security
–  F5 ASM
–  Imperva
–  DenyAll
•  Can also import sensor logs to map blocked attacks back to vulnerabilities targeted
177. ThreadFix: Virtual Patching Example
•  Example Rule Generation:
–  Create a mod_security WAF
–  Associate with an application with open vulnerabilities
–  Generate rules
•  Example Log Import:
–  Upload log file
–  Look at event data in vulnerability listing
–  (This is faked but you hopefully get the idea)
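Rule generation of the kind the slides above describe (known address, known parameter, known payload class), as an added example that is not ThreadFix's own generator: the chained SecRule layout is an assumption, the `@detectSQLi` / `@detectXSS` operators are the libinjection operators shipped with ModSecurity 2.8 and later, and the findings list is constructed. Application-specific types with no generic detector are deliberately skipped, matching the Applicability slide.

```python
"""Generate targeted mod_security virtual-patch rules from scan findings.

Added example, not ThreadFix code. The rule layout and the sample findings
are assumptions; @detectSQLi / @detectXSS exist in ModSecurity >= 2.8.
"""
from typing import Dict, List, Optional

# Only "technical" vulnerability classes have a generic payload detector.
# Authorization and business-logic issues need application-specific rules.
OPERATORS: Dict[str, str] = {
    "SQL injection": "@detectSQLi",
    "XSS (reflected)": "@detectXSS",
    "XSS (stored)": "@detectXSS",
}

def modsec_rule(vuln_type: str, path: str, parameter: str, rule_id: int) -> Optional[str]:
    """Return a chained SecRule pair pinned to one path and parameter, or None."""
    operator = OPERATORS.get(vuln_type)
    if operator is None:
        return None
    msg = f"Virtual patch: {vuln_type} in {path} [{parameter}]".replace("'", "")
    # Rule 1 matches the exact path; 'chain' defers the deny to rule 2,
    # which inspects only the vulnerable parameter after URL decoding.
    return (
        f'SecRule REQUEST_FILENAME "@streq {path}" '
        f'"id:{rule_id},phase:2,deny,status:403,log,msg:\'{msg}\',chain"\n'
        f'    SecRule ARGS:{parameter} "{operator}" "t:none,t:urlDecodeUni"'
    )

def generate_patches(findings: List[dict], first_id: int = 900001) -> List[str]:
    """Emit one rule pair per patchable finding with unique sequential ids."""
    rules: List[str] = []
    for f in findings:
        rule = modsec_rule(f["type"], f["path"], f["parameter"], first_id + len(rules))
        if rule:
            rules.append(rule)
    return rules

# Constructed findings, shaped like a dynamic scanner's output
FINDINGS = [
    {"type": "SQL injection", "path": "/login", "parameter": "username"},
    {"type": "XSS (reflected)", "path": "/search", "parameter": "q"},
    {"type": "Lack of Authorization check", "path": "/admin", "parameter": "id"},
]

if __name__ == "__main__":
    print("\n\n".join(generate_patches(FINDINGS)))
```

The generated rules log and block only on the patched path and parameter, so legitimate traffic elsewhere in the application is untouched while the code fix is scheduled.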
178. Program Benchmark Reporting
•  How does your software security organization stack up?
–  Look at publicly-shared data from WhiteHat and Veracode
•  Compare your progress
–  Percentage of vulnerabilities fixed
–  Time to fix different vulnerability types
–  Age of remaining vulnerabilities
179. ThreadFix: Reporting Examples
•  Can be done at multiple levels:
–  Enterprise-wide
–  Team
–  Individual application
•  Reports for:
–  Vulnerability count trending
–  Progress – vulnerability resolution and timelines
–  Scanner effectiveness
–  Frequency of scanning across the portfolio
•  We have already looked at scanner benchmark reports
180. ThreadFix: Reporting: Trending
•  Shows trending over time
•  Data series:
–  Total vulnerabilities
–  New vulnerabilities
–  Resurfaced vulnerabilities
181. ThreadFix: Reporting: Point-in-Time
•  Shows current state of vulnerabilities
•  Pie chart!
–  Critical
–  High
–  Medium
–  Low
182. ThreadFix: Reporting: Vulnerability Progress
•  Shows progress resolving vulnerabilities
•  Data series by vulnerability type:
–  Vulnerability count
–  Percentage fixed
–  Average age to close
–  Average age of remaining
•  Use to benchmark your organization against publicly-available data
–  WhiteHat Security – Website Security Statistics Report: https://www.whitehatsec.com/resource/stats.html
–  Veracode – State of Software Security Report: http://www.veracode.com/reports
183. ThreadFix: Reporting: Monthly
•  Shows trending on a per-month basis
–  Similar to trending report
•  Data series:
–  Total vulnerabilities
–  New vulnerabilities
–  Resurfaced vulnerabilities
184. ThreadFix: Reporting: Portfolio Tracking
•  Shows consistency of scanning across the portfolio
•  Broken down by criticality of the application
185. Recap
•  A software security program is more than a tool or set of tools
–  But tools help provide automation and facilitate scale
•  OpenSAMM is a maturity model that can be used as a framework for building and advancing software security programs
•  Open source tools exist to support many key activities in a software security program
186. Conclusions / Questions
Dan Cornell
dan@denimgroup.com
Twitter: @danielcornell
www.denimgroup.com
www.denimgroup.com/threadfix
code.google.com/p/threadfix
(210) 572-4400